Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius Ste ff ens German OWASP Day 2018 joint work with Christian Rossow, Martin Johns and Ben Stock
Dimensions of Cross-Site Scripting Server Client Reflected echo "Welcome ". document.write("Welcome " + $_GET["name"]; location.hash.slice(1)); mysql_query("INSERT INTO posts ..."); localStorage.setItem("name", // .. location.hash.slice(1)); $res = mysql_query("SELECT * FROM // .. Persistent posts"); document.write("Welcome " + while ($row = mysql_fetch_array($res)) { localStorage.getItem("name")); print $res[0]; } Marius Steffens - Don't Trust the Locals � 2
Persistent Client-Side XSS? “With the advent of HTML5, and other browser technologies, we can envision the attack payload being permanently stored in the victim’s browser, such as an HTML5 database, and never being sent to the server at all.” - OWASP Wiki Marius Steffens - Don't Trust the Locals � 3
Research Questions • How many sites of the top 5k make use of data from storages in their client- side code? • On how many sites can such a data flow be abused if an adversary can gain control over the storage? • Out of these, how many sites can be successfully attacked by a network and Web adversary? • To answer: combine taint tracking with automated exploit generation Our previous work (Lekies et al. CCS 2013) + a number of improvements for their shortcomings • Marius Steffens - Don't Trust the Locals � 4
Persistent Client-Side Cross-Site Scripting • Client-side technology allows for storing of data and code Cookies: typically used for preferences and configuration (e.g., language) • bound to eTLD+1 or hostname only • limited storage (typically 4096 bytes), limited charset (e.g., cannot contain semicolon) • Web Storage: used to persist larger pieces of data • bound to origin of the site • Session Storage: persisted only within the same browser window • Local Storage: shared across all windows • http://vuln.com <script> eval(getStorage()); </script> 1 2 attack(); 3 Marius Steffens - Don't Trust the Locals � 5
Interlude: HTTP Strict Transport Security • HTTP header (Strict-Transport-Security) sent by server only valid if sent via HTTPS • • Strict-Transport-Security: max-age=<expiry in seconds> includeSubDomains : header is valid for all subdomains • preload : allows for inclusion in preload list • ensures that site cannot be loaded via HTTP until expiry is reached • • Domains can be preloaded in browsers HSTS preload list (https://hstspreload.org/) • only possible with at least 18 weeks max-age, includeSubDomains • and automatic redirect from HTTP Marius Steffens - Don't Trust the Locals � 6
Persistent Client-Side Cross-Site Scripting: Attacker Models • Requirement for successful attack: persisted malicious payload extracted on every page load; single "infection" is sufficient • • Attacker Model #1: Network Attacker can modify unencrypted connections • cannot get arbitrary TLS certificates • • Capabilities http://vuln.com Cookies: set cookies for any domain without HSTS • 1 or with HSTS but without includeSubDomains • Local Storage: inject items on HTTP sites only • <script> persist(); </script> 3 2 Marius Steffens - Don't Trust the Locals � 7
Persistent Client-Side Cross-Site Scripting: Attacker Models • Attacker Model #2: Web Attacker can force victim's browser to visit any URL • • Attack Vector #1: Abuse existing XSS flaw allows to inject data into origin (Storage) or domain (cookies) • HTTPS does not help at all • • Attack Vector #2: Abuse flows into storage http://attacker.com 1 requires a flow into storage item • 2 http://vuln.com/?vuln=persist() important: same storage item must be later on used • hard to find in practice • <script> persist(); </script> 3 Marius Steffens - Don't Trust the Locals � 8
Persistent Client-Side Cross-Site Scripting: Potential Attacks • Question may arise: why bother with per-user persistent XSS if we need an XSS or an active network adversary in the first place? • Potential answers Infect storage with keylogger - wait for next login • Security-aware user might not login in untrusted Wifi • but will in his home network • Cryptojacking, there is always Cryptojacking • Marius Steffens - Don't Trust the Locals � 9
Sites with flows from cookies/Local Storage Cookies Local Storage Sink Total Plain Exploits Total Plain Exploits 132 (27%) 105 (45%) HTML 496 319 234 226 JavaScript 547 470 72 (13%) 392 385 108 (27%) script.src 1385 533 17 (1%) 626 297 11 (2%) Total 1645 906 213(13%) 941 654 222 (24%) Marius Steffens - Don't Trust the Locals � 10
Exploitability under attacker models • 293 sites can be exploited by a network attacker no HTTPS at all or • due to lack of HSTS or lack of includeSubdomains • • 65 sites have reflected client-side XSS in the same origin • Lower bound on Web attacker no code coverage, no login • not considered any other form of XSS • not considered "trust relations" (domain relaxation, postMessages, ...) • 15% of all page loads seem to set document.domain • not investigated inter- and intra-storage flows (around 100M data flows in our data) • Marius Steffens - Don't Trust the Locals � 11
Types of exploitable stored content • Unstructured Data (214 domains) Can be addressed via proper encoding • • Structured Data (such as JSON, 108 domains) Guess what, don't use eval! • • Client-Side Code Caching (HTML / JavaScript, 101 domains) Service Workers for JavaScript • Integrity measures • • Configuration Information (such as Hostnames, 28 domains) solution depends: mostly whitelisting actually works • Marius Steffens - Don't Trust the Locals � 12
PoC Two Stage Exploit Marius Steffens - Don't Trust the Locals � 13
Summing up • Conducted large-scale study on Alexa Top 5,000 • 1,946 domains make use of storage data in their application 1,324 domains do so without encoding at least once • • 418 domains have exploitable flow from storage 213 from cookie, 222 from Local Storage • • Real-world exploitability by attacker models 293/418 domains vulnerable to network attacker • 65/418 domains vulnerable to Web attacker • • Persistent Client-Side is a more widespread issue than might have been assumed Marius Steffens - Don't Trust the Locals � 14
Recommend
More recommend
